Support » Theme: AccessPress Parallax » Arbitrary File Upload vulnerability

Viewing 6 replies - 1 through 6 (of 6 total)
  • I think it is already fixed.
    It should be the plugin “Access Demo Importer” and not the theme, see this link
    https://security-tracker.debian.org/tracker/CVE-2021-39317

    And version 1.07 is fixed some months ago.
    The plugin is only installed if you import demo content.

    peterha7,

    I think it is already fixed.

    No.

    It should be the plugin “Access Demo Importer” and not the theme

    Wrong. Arbitrary File Upload vulnerability is directly related to the theme.

    Thread Starter dynamek

    (@dynamek)

    Yep thanks @yoruoni it is the theme and not fixed. I don’t have that plugin installed @peterha7

    Thread Starter dynamek

    (@dynamek)

    Looks like the theme has been pulled from WordPress – I take it there will be no fix? Be grateful for an answer to clarify!

    https://jetpack.com/2022/01/18/backdoor-found-in-themes-and-plugins-from-accesspress-themes/

    @yoruoni you are right.

    @dynamek good information!
    …if it is only plugin_offline_installer_callback function found in the welcome/welcome.php file it should help to place die(); at the beginning of this function and remove or comment out this line
    add_action( 'wp_ajax_plugin_offline_installer', array( $this, 'plugin_offline_installer_callback' ) );

    This disables the demo importer functionality.

    • This reply was modified 8 months, 1 week ago by peterha7.
    Yoru Oni

    (@yoruoni)

    peterha7,

    This disables the demo importer functionality.

    It’s better not to use products of a dubious vendor I believe.

    Speaks for itself that the vendor receives warnings about the presence of critical vulnerabilities and simply ignores this information for months, continuing to keep its customers at risk.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Arbitrary File Upload vulnerability’ is closed to new replies.